New in October 2010

Just when I had resigned myself to the notion that the computer security industry
doesn’t care to invest in reverse engineering, along comes the Stuxnet worm and
numerous investigations in which the investment by each of several security companies
is apparently to be measured in man-months. Of course, reports that have taken man-months
ought to be detailed. I’m not shaken in my belief that competition in reverse
engineering, as practised by the computer security industry, is less about the quality
of the work than about the unsupported use of terms such as “in-depth” and
“comprehensive”, but I must admit that a quick look at Stuxnet confirmed that most
of it surely had been mined at least well enough that I would not find much to add
except by committing to a full study. I can’t now catch up on others’ man-months,
but within the constraints of what I will do for free, I did find one perspective
that seemed novel enough to justify spending a little time to write up most of what
I know about one Stuxnet component: one of the kernel-mode drivers looks to have
been written independently of everything else in Stuxnet, as a general loader of
almost arbitrary user-mode malware.

Before moving on, it occurred to me that although everyone surely has realised
that to talk of Stuxnet exploiting a vulnerability in .LNK files is to shoot the
messenger, someone ought to note it explicitly. The coding oversight that’s
depended on isn’t any sort of parsing error in .LNK files, as Microsoft and some
supposed experts would have you believe, but is instead that the Control Panel is
not nearly defensive enough about what it executes: a DLL that a shortcut names as
a Control Panel item gets loaded merely so that the shortcut’s icon can be shown.
Shortcut files just present the best vector for exploiting the vulnerability.
You may think this is nit-picking, but if defect and vector are not differentiated,
the defect may not be properly fixed and other vectors may go unexamined.

I’m biased, unsurprisingly, but I think a substantial opportunity was missed
by not having me on hand to start on Stuxnet in June or July. Look around
my other write-ups on malware. If you agree with me that I bring a new level of
detail to such studies and you have a budget, then make me an offer for my services.
After all, if you’re going to commit man-months to reverse-engineering some malware,
don’t you want it done by the best you can get? It may even turn out that you don’t
need as many man-months to do the same as your competitors, and you stand to find
things out that they don’t.